It’s National Cybersecurity Month! Hope You Got a Card!
Hard to believe it’s been a year already, but once again it’s time for National Cyber Security Awareness Month, now entering its 12th year.
Certainly, with security incidents such as those at Target and the Office of Personnel Management, the focus on cybersecurity has intensified recently. This year’s event has a particular nuance for U.S. businesses that issue and take credit cards: the liability switch in credit cards.
Following the rest of the world, the U.S. has begun switching from signature-based credit cards to the chip-and-PIN type, formally known as EMV (Europay, Mastercard, and Visa). Beginning October 1, liability in certain fraudulent transactions switched to whichever party is the least compliant with the new specifications.
In other words, if you’re a small business that hasn’t yet switched over to the cash registers and other devices that accept the new kinds of cards, that could make you the liable party should a card be used for fraud.
This year also featured an update to the Payment Card Industry Data Security Standard (PCI DSS). The major change in version 3.1, which was released in April, was to eliminate the use of the Secure Sockets Layer (SSL), because it was no longer considered safe from hackers, writes Jeremy Lacy in Forbes. (If you’re in Los Angeles, the LA chapter of ISACA is hosting a seminar on PCI DSS 3.1 featuring security consultant Mike Villegas on October 17.)
For those CIOs who feel like they’re the only ones who care about cybersecurity, this year’s theme is “Our Shared Responsibility,” emphasizing how all people—as employees and individuals—need to be concerned about security and aware of the ramifications their actions could have.
The Department of Homeland Security (DHS), which sponsors the event, breaks the month down into individual weeks, with a separate focus and events for each week. In particular, this week is focused on creating a culture of cybersecurity at work, which is intended to highlight the common threats businesses and employees are exposed to and provide resources for businesses and employees to stay safer online and enhance their existing security plans.
In addition, the final week of October is about building the next generation of cyber professionals, which looks to the future of the cybersecurity workforce, focusing on cybersecurity education and awareness in schools at all levels, and emphasizing the need for properly trained cybersecurity professionals. It culminates with the Educause Annual Conference, which focuses on higher education programs in IT.
The DHS also provides a variety of its cybersecurity resources organized for these constituencies, ranging from education to government. There are also resources for industry and small business with more detailed information on nuances such as what sorts of personally identifiable information organizations are entitled to collect on their users and how to report security incidents. Cities, states, and colleges also participate in the program.
A series of Twitter chats using the hashtag #ChatSTC has been scheduled, including some intended for a business audience:
- Tuesday, Oct. 6, 11 a.m. – 12 p.m. EDT/8-9 a.m. PDT: Two-factor authentication (#2FactorTuesday)
- Thursday, Oct. 8, 3-4 p.m. EDT/12-1 p.m. PDT: Creating a culture of cybersecurity in your organization.
- Thursday, Oct. 29, 3-4 p.m. EDT/12-1 p.m. PDT: So you want to work in cybersecurity?
The page also includes transcripts of other Twitter chats on cybersecurity topics. Other tips get sent out through Twitter using the #CyberAware hashtag.
Admittedly, most of the NCSAM suggestions are pretty Mom-and-apple-pie stuff—set strong passwords, be careful what you post online, and so on—but the month is particularly helpful for organizations that receive a new set of young or naïve users on a regular basis, such as schools, and for making sure that people are reminded of these things on a regular basis.
That said, some experts think the industry could do better. “Someone in Washington (a new cybersecurity czar?) should be beating this crew with carrots and sticks, encouraging them to participate in a collective cybersecurity education effort,” writes Jon Oltsik, principal analyst at Enterprise Strategy Group, in Network World. “National Cybersecurity Awareness Month is really a token gesture with most of the effort coming from the public sector and those few companies (mostly in Washington) that profit from working with the public sector. A single month dedicated to cybersecurity awareness and led by a small group of public sector agencies and their private sector business partners won’t do.”
Oltsik calls on security vendors to take a larger part in efforts in this area—something that users of those vendors could also encourage. A more secure Internet is better for all of us.